A Holistic View: Internal MFT in the Financial Services Industry

John Wilson, Director of Solution Enablement – FSI, Axway

“When you think of setting up an SLA, and that causes you to cringe, that’s going to be a good indication that there’s areas for improvement. If you still have the memory of looking through all those audit logs for that lost file or trying to back out a duplicate file that was loaded…(if) those are still fresh in your mind, then these also may be good indicators as well. It’s a super competitive market. Any black mark to your reputation can cause devastation. Causes undue expenses, lost revenue, and even loss of customers.”

The Infrastructure Does Not Understand the Data Itself

Taher Elgamal, CSO, Axway

“All companies today get to deal with information that somebody else owns, and that’s a very interesting thing. If I’m processing the information on behalf of someone, that information can have a lot of confidential…things, can have a lot of privacy issues for individuals, and so on and so forth. It turns out that it’s really, really difficult to understand data as a piece of the infrastructure. You have to do a lot of work. Effectively, a lot of the data leakage protection products actually ended up doing that. …if you try to fast forward several years from now, I think these technologies will end up being part of an audit, not part of the operational management of the network or the security of the network or the security of the applications or any of that. And I think that at some point the applications that manage data will end up taking a lot of the interesting technologies that you can use to understand what the data is about, understand what to do with the data, understand how to impose policies and enforce things and understand who’s allowed to do what with the data versus who’s not.”

From Survival to Revival: The Evolution of Financial Services Delivery Platforms

John Applegate, Director, Financial Services Solutions, Axway

Exchanging Information Safely and Securely within Your Ecosystem

Embedding DLP Tools in Applications Will Bring Better Results

Taher Elgamal, CSO, Axway

Don’t Ignore the “Paranoid” Security Guy, Part 2

by Taher Elgamal
Chief Security Officer
Axway

This is going to continue to be an arms race for a long time.

I don’t think society will actually change. People in important positions don’t even listen to financial experts, let alone IT security experts. And I’m willing to bet money that there is another financial problem that somebody has warned us about, and that nobody is paying attention to, because of the cost. People are hesitant to take action with anything that involves cost. I’m not saying you should spend money on a whim. But there is certainly a collection of experts in every single one of these technical fields who can make a judgment call as to how much risk a system is willing to take and when we must draw the line. And right now, we’re drawing the line so far out that a lot of criminals can gain a great deal of unauthorized access, and the level of online fraud carried out today is indicative of this.

The real issue is a fundamental lack of imagination on the part of the decision makers and CEOs. “Why am I going to spend all this money?” the CEO asks. The CEO waits until a regulation comes up. When the government actually speaks up and sticks a regulation to a certain type of company for something, the CEO puts forth the effort to get there. The problem with mere regulation—and this is how the entire system works—is that it doesn’t solve the real problem. It just makes people compliant. It does not make sure that the wrong people don’t gain unauthorized access, it just makes sure that the right people are acting just a little bit more safely. It’s true, I’ll admit, it is a little bit better to be compliant with all these regulations. But it does not address the real issue.

Finally, consider this:

If the concern over cyber issues is now an integral part of business, if it’s no longer a back office thing, if it’s now front and center, in the middle of everything, then cybersecurity people should be involved in the decision-making process, not just dismissed as back-office techies. That implies more training for the cybersecurity people to both be able to evaluate risk and to understand the particular business needs that the enterprise faces. Are you ready for that?

Don’t Ignore the “Paranoid” Security Guy, Part 1

by Taher Elgamal
Chief Security Officer
Axway

Michael Fitzgerald’s excellent piece for CSOOnline.com, “Organized Cybercrime Revealed,” continues to be pointed to on Twitter more than a month after its publication.

And rightly so. It’s a nice article, full of excellent details and compelling information.

But the thing that always puzzles me about an article like this is why it discusses, as news, something that is completely expected. If you put money in front of a criminal, what do you think they’re going to do with it? We’ve continued to blame criminals for criminal acts, which makes no sense: it’s what they do! When society provides opportunities for criminals to act like criminals, it’s society that is truly at fault.

If you would’ve asked anyone in the security/technical community—any reasonable CSO—at any time in the last fifteen years, “How will the profile of a hacker shift in the future?”, they would’ve told you that the smart hacker who wants to be famous by writing cute little viruses will be replaced by an actual criminal committing an actual crime, because things online aren’t secured very well. Sure, we have some controls and technologies deployed, but there has not been enough support to deploy even simple authentication technologies, and the absence of these technologies gives modern hackers gumption. The entire Web runs on passwords, and these passwords are very easy to guess. And that this is still the paradigm reflects a fundamental ignorance on the part of business people and governments. People who implement systems and run corporations—they don’t want to listen to security guys because security guys are, in their opinion, flat-out paranoid. Why would you want to listen to a paranoid guy tell you that there is a possibility that at some point in the future something bad will happen? But despite the fact that so many bad things are happening, and this “just ignore the paranoid security guy” attitude led to these bad things, we still think this way.

In the second part of this blog entry, I’ll speculate on where this is all going.

Raise Consciousness—Not Frustrations—With DLP

by Willy Leichter
Director, Product & Solutions Marketing
Axway

I want to be the voice of the realist here, because there’s a lot of hype around DLP, yet DLP implementation projects have often failed because it can be such a complex, daunting undertaking.

As numerous bleeding-edge companies pilot DLP projects, they find it can be an enormous challenge. When you consider all the possible ways information can leak, most organizations resemble Swiss cheese. How do you plug up all those holes?

That question leads to a couple of dilemmas. One, if you lock things down well, then you shut down business, an effect worse than the problem you’re trying to solve. Two, the business-unit owner is supposed to own the information, but since IT is usually running the DLP products, they’re put in the position of being the bad guys who force the business-unit owner to confront issues that they do not want to confront.

To keep this from being too overwhelming, I recommend a couple of basic starting points that will maximize your DLP effectiveness while minimizing your frustrations.

First, instead of trying to boil the ocean, look for things that have become established best practices and the information that is most critical for your organization to protect. This doesn’t include all possible things that might need protecting, just really top-of-the-list information. And often, that’s regulated information. Healthcare data is obvious. But PCI compliance, credit card numbers, social security numbers: those are the things that, more and more, you need to be concerned about. In a vast orchard of data, this is low-hanging fruit!

Second, protect the obvious egress point: email. There are pretty straightforward steps that almost all organizations should be taking to prevent well-intentioned employees from sending sensitive information—often by accident—into the clear, specifically credit card, social security, and healthcare numbers. This is relatively easy and it addresses the most common way people accidentally send information.

Third, think of DLP in the broader case. Trying to thwart someone intent on stealing is much more challenging than preventing mistakes. Focus first on preventing well-intentioned employees from making stupid mistakes, like accidentally copying files that can cause liability, or setting up rogue FTP servers.

Many organizations put limits on the size of the files their employees can transmit, but they don’t tell the employee what to do if they need to send something larger. This leads to a lot of well-intentioned employees coming up with ways to send large files and get their jobs done. A lot of serious incidents have happened this way—employees copying CDs and DVDs, employees sending things over Yahoo accounts to their own computers, employees sending discs via snail mail. IT must not ignore the “What do we do if we don’t allow them to use email to send big files?” question. IT must provide mechanisms that allow employees to reliably send large files rather than just block those files and say no.

It’s important that you raise awareness within the organization that you’re taking steps regarding these issues. If you’re filtering stuff, you should raise alerts and make people aware why you’re taking these steps. Nine times out of ten, once you start content filtering, the incident rate drops dramatically, because employees don’t want an alert and they don’t want to be flagged by IT. They want to comply. These practices tend to train the group better than actual training. And what better proof of an initiative’s success than consciousness being so fundamentally raised that, after a time, the ongoing need for the initiative becomes largely moot?
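As an added illustration of the email-egress and alerting points above (example code written for this page, not Axway's own code or a product feature), a minimal outbound content filter: it flags credit card numbers and Social Security numbers in a message body, uses the Luhn checksum so that ordinary long numeric IDs are not flagged, and returns the "alert" action the post recommends so the sender learns why the message was held. The sample messages are constructed.

```python
import re

# Candidate card number: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# SSN in the common dashed format; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum that card numbers carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Digit runs that look like a card number AND pass Luhn; the checksum screens
    out order numbers, tracking codes and similar long numeric identifiers."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list[str]:
    return SSN_RE.findall(text)


def scan_message(body: str) -> dict:
    """Report what was found and the action an egress filter would take."""
    cards = find_card_numbers(body)
    ssns = find_ssns(body)
    action = "alert" if cards or ssns else "allow"
    return {"cards": cards, "ssns": ssns, "action": action}


# Constructed sample messages (no real customer data).
CLEAN = "Hi Bob, order 20240115123456 shipped. Call 555-123-4567 if late."
LEAKY = "Please charge card 4111 1111 1111 1111 for Jane, SSN 123-45-6789."
LOOKALIKE = "Ref 4111-1111-1111-1112 is an internal ticket id, not a card."

if __name__ == "__main__":
    for msg in (CLEAN, LEAKY, LOOKALIKE):
        print(scan_message(msg))
```

The 14-digit order number and the Luhn-invalid ticket reference both pass through untouched, while the message with a valid card number and an SSN is held with an alert.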

PCI is Not Enough

by Paul French
VP, Product & Solutions Marketing
Axway

If you Google “Heartland Payment Systems CEO auditor,” you’ll find a recent interview with said CEO, Robert Carr. Heartland is a credit card processor, and they recently got dinged because a whole lot of credit card numbers got stolen. And the CEO’s position was that the company was PCI compliant, they did everything right and the auditors were the ones who screwed up. Now, he wasn’t completely passing the buck (maybe a little bit) but he was trying to make the point to all who would hear it, and that’s this: PCI is not enough.

And I completely agree. PCI is just one part of many complex and comprehensive data privacy standards that need to be evaluated and supported, but it’s not enough to treat it like a box of soap (e.g., “Big Name Bank—Now with PCI compliance!”).

There was a time in the recent past when that was enough to get you off the hook. But that’s not going to help Heartland. It didn’t help a company called Hannaford Brothers, which had a data leak problem and was also PCI compliant.

It’s important to actually think about compliance as a modular effort. You have a certain set of tools and policies that evolve to satisfy the external regulatory bodies you’re forced to comply with. And that’s great. But it’s absolutely critical to go above and beyond the call of compliance so that legislative, regulatory, customer, partner and contractual requirements aren’t summarily forced upon you. Everyone will believe that you have what’s necessary to be secure, and rightly so.

You shouldn’t buy one solution that only addresses PCI any more than you should buy one car that only takes you to the office, one car that only takes you to the grocery store, one car that only takes you to the theater, and one car that only takes you to the football game. You should buy one car that takes you everywhere you need to go, and you should buy a comprehensive data security and compliance solution that will account for all the different needs of all the different venues, jurisdictions and industries that you participate in.